Many versions of the PuTTY client have a subtle vulnerability that can allow an attacker to compromise some private keys and then forge signatures and log into any remote servers on which those keys are used.
The bug affects versions 0.68 through 0.80 of PuTTY, a popular client used for SSH, Telnet, and other remote communication protocols, and stems from the client producing biased ECDSA nonces when a specific NIST elliptic curve is used. The weakness applies only to 521-bit ECDSA keys on the NIST P-521 curve. In order to exploit this vulnerability, an attacker would need to see a few dozen signatures made with the private key, but that is a plausible scenario. Researchers at Ruhr University in Germany discovered the flaw and published details of it on Monday. The bug has been fixed in PuTTY 0.81.
“The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents,” the advisory from the Ruhr University researchers says.
“Luckily, client signatures are transmitted within the secure channel of SSH, requiring a malicious server to acquire such signatures. If the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant to a development host), the publicly available signatures (e.g., on GitHub) can be used as well.”
PuTTY has been around for more than 20 years and, while it was originally developed for Windows, it is open source and has been ported to several other operating systems. The client can be used for remote sessions on servers, file transfers, and other functions. The Ruhr University researchers said that users should discard any client keys generated on the NIST P-521 curve with affected versions of PuTTY.
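Discarding affected keys means first finding where they are installed. The added example below, which is not code from the article or from PuTTY, scans OpenSSH public-key lines (authorized_keys or id_*.pub format) and flags every ECDSA key on the nistp521 curve by reading the curve name from inside the base64 key blob rather than trusting the text label. The sample file is constructed inline with dummy all-zero public points; they are not real keys.

```python
from __future__ import annotations

import base64
import struct

AFFECTED_CURVE = b"nistp521"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Decode one SSH wire 'string' at offset; returns (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_public_key_line(line: str) -> tuple[str, bytes | None, str]:
    """Parse one OpenSSH public-key line into (key_type, curve, comment).

    curve is None for non-ECDSA keys. Options such as no-pty may precede the
    key type (options containing spaces inside quotes are not handled here).
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(fields[i + 1], validate=True)
            comment = " ".join(fields[i + 2:])
            key_type, off = _read_ssh_string(blob, 0)
            curve = None
            if key_type.startswith(b"ecdsa-sha2-"):
                curve, _ = _read_ssh_string(blob, off)  # curve name follows type
            return key_type.decode(), curve, comment
    raise ValueError("no key found on line")


def find_affected_keys(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, key_type, comment) for every P-521 ECDSA key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            key_type, curve, comment = parse_public_key_line(stripped)
        except ValueError:
            continue  # not a parsable key line; nothing to judge
        if curve == AFFECTED_CURVE:
            hits.append((lineno, key_type, comment))
    return hits


def _constructed_key_line(key_type: bytes, curve: bytes | None,
                          comment: str, options: str = "") -> str:
    """Build a syntactically valid key line with a dummy all-zero public point.
    Constructed for this example only; these are not real keys."""
    blob = _ssh_string(key_type)
    if curve is not None:
        coord_len = {b"nistp256": 32, b"nistp384": 48, b"nistp521": 66}[curve]
        blob += _ssh_string(curve) + _ssh_string(b"\x04" + b"\x00" * (2 * coord_len))
    else:
        blob += _ssh_string(b"\x00" * 32)
    prefix = options + " " if options else ""
    return f"{prefix}{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample authorized_keys content: lines 4 and 5 should be flagged.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    _constructed_key_line(b"ssh-ed25519", None, "alice@laptop"),
    _constructed_key_line(b"ecdsa-sha2-nistp256", b"nistp256", "bob@desktop"),
    _constructed_key_line(b"ecdsa-sha2-nistp521", b"nistp521", "ci-deploy@build"),
    _constructed_key_line(b"ecdsa-sha2-nistp521", b"nistp521",
                          "legacy@putty-user", options="no-pty"),
])

if __name__ == "__main__":
    for lineno, key_type, comment in find_affected_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {key_type} ({comment}) - rotate this key")
```

Pointing `find_affected_keys` at the contents of a server's authorized_keys files gives the list of keys to remove and replace; the key type string alone is not enough, because the text label and the curve embedded in the blob are separate fields, and only the embedded one is what the server actually verifies against.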
“All NIST P-521 client keys used with PuTTY must be considered compromised, given that the attack can be carried out even after the root cause has been fixed in the source code (assuming that ~60 pre-patch signatures are available to an adversary),” the advisory says.